"Turn on two-factor authentication" is the most repeated advice in security, and it hides a decision nobody explains. When a site offers you a text-message code, an authenticator app, or a passkey, it is offering three different locks that stop three different burglars. Choosing between them at random means you may be defending against the wrong one.
Here is the ladder, from weakest to strongest, and the reasoning at each rung.
Rung one: text-message codes
SMS codes defend brilliantly against one attacker: the stranger far away who has your password from a breach but not your phone. Since that describes the most common attack, SMS two-factor is genuinely worth having, and if it is the only option a site offers, take it.
Its weakness is that the code goes to your phone number, not your phone. Your number can be stolen without anyone touching your device, through a SIM swap: a criminal persuades your carrier to move your number to their SIM, and every code meant for you arrives in their hands instead. The lock works until someone steals the door.
Rung two: authenticator apps
Authenticator apps generate six-digit codes on your device itself. The seed that produces them never travels over the phone network, so a SIM swap accomplishes nothing. The code exists in exactly one place: your hand.
What survives this rung is phishing. A convincing fake login page asks for your password and then, helpfully, "your 6-digit code." You read the genuine code off your genuine app and type it into the counterfeit page, and the attacker relays both to the real site within seconds. Nothing was intercepted. You were simply persuaded to hand over both keys, and thirty seconds of validity is plenty.
Rung three: passkeys and hardware keys
The top rung works on a different principle entirely. Passkeys, and their physical cousins like YubiKeys, never give you a code to type, which means there is nothing for a fake page to ask you for. Your device performs a cryptographic handshake directly with the website, and the handshake is bound to the site's real address. Point it at a counterfeit domain and it simply fails, no matter how convinced you are.
That property, phishing resistance, is not an incremental improvement. It removes the human judgment call from the loop, and the human judgment call is what every modern phishing attack targets. Passkeys are now supported by Apple, Google, and Microsoft accounts and a fast-growing share of major services, usually via your phone's fingerprint or face unlock. They cost nothing and are typically faster than typing a code.
- Your email account gets the strongest option it supports, today. Every password reset flows through it, so it is worth more than any other single account.
- Banking and anything holding money, including crypto: passkey or hardware key where offered.
- Everything else: authenticator app where offered, SMS where it is not. Either beats a password alone.
One rule that outranks the ladder
A code you were asked for is a code being stolen. Legitimate services send codes when you initiate a login. They do not call you, text you, or email you asking you to read a code back "to verify your identity." Anyone requesting a code from you, however plausible the story, is on the other end of an attack in progress. Hang up, close the message, and log in directly yourself.